Optimized authentication mechanism

ABSTRACT

A method including receiving, at a processor, credential requests for accessing the VPN environment from a first user device using a first interface and from a second user device using a second interface; transmitting, to the first user device, a first credential based at least in part on the first user device using the first interface; and transmitting, to the second user device, a second credential based at least in part on the second user device using the second interface, the first credential being different from the second credential. Various other aspects are contemplated.

CROSS REFERENCE

This application is a continuation of U.S. Non-Provisional Pat.Application No. 17/503,346, filed on Oct. 17, 2021, and titled“Optimized Authentication Mechanism,” the entire contents of which areincorporated herein by reference.

FIELD OF DISCLOSURE

Aspects of the present disclosure generally relate to a virtual privatenetwork (VPN), and more particularly to providing an optimizedauthentication mechanism in a VPN.

BACKGROUND

Global Internet users increasingly rely on VPN services to preservetheir privacy, to circumvent censorship, and/or to access geo-filteredcontent. Originally developed as a technology to privately send andreceive data across public networks, VPNs are now used broadly as aprivacy-preserving technology that allows Internet users to obscure notonly the communicated data but also personal information such as, forexample, web browsing history from third parties including Internetservice providers (ISPs), Spywares, or the like. A VPN service providermay offer a secure private networking environment within a publiclyshared, insecure infrastructure through encapsulation and encryption ofthe data communicated between a VPN client application (or VPNapplication) installed on a user device and a remote VPN server.

Most VPN providers rely on a tunneling protocol to create the secureprivate networking environment, which adds a layer of security toprotect each IP packet of the communicated data during communicationover the Internet. Tunneling may be associated with enclosing an entireIP packet within an outer IP packet to form an encapsulated IP packet,and transporting the enclosed IP packet over the Internet. The outer IPpacket may protect contents of the enclosed IP packet from public viewby ensuring that the enclosed IP packet is transmitted over the Internetwithin a virtual tunnel. Such a virtual tunnel may be a point-to-pointtunnel established between the user device and the VPN server. Theprocess of enclosing the entire IP packet within the outer IP packet maybe referred to as encapsulation. Computers, servers, or other networkdevices at ends of the virtual tunnel may be referred to as tunnelinterfaces and may be capable of encapsulating outgoing IP packets andof unwrapping incoming encapsulated IP packets.

Encryption may be associated with changing the data from being in atransparently readable format to being in an encoded, unreadable formatwith the help of an encryption algorithm. Decryption may be associatedwith changing the data from being in the encoded, unreadable format tobeing in the transparently readable format with the help of a decryptionalgorithm. In an example, encoded/encrypted data may bedecoded/decrypted with only a correct decryption key. In a VPN,encryption may render the communicated data unreadable or indecipherableto any third party. At a basic level, when the user launches theinstalled VPN application and connects to the VPN server, the VPNapplication may encrypt all contents of the data before transmissionover the Internet to the VPN server. Upon receipt, the VPN server maydecrypt the encrypted data and forward the decrypted data to an intendedtarget via the Internet. Similarly, the VPN server may encrypt allcontents of the data before transmission over the Internet to the userdevice. Upon receipt, the VPN application on the user device may decryptthe encrypted data and provide the decrypted data to the user.

VPNs generally use different types of encryption and decryptionalgorithms to encrypt and decrypt the communicated data. Symmetricencryption may utilize encryption and decryption algorithms that rely ona single private key for encryption and decryption of data. Symmetricencryption is considered to be relatively speedy. One example of anencryption and decryption algorithm utilized by symmetric encryption maybe an AES encryption cipher. Asymmetric encryption, on the other hand,may utilize encryption and decryption algorithms that rely on twoseparate but mathematically-related keys for encryption and decryptionof data. In one example, data encrypted using a public key may bedecrypted using a separate but mathematically-related private key. Thepublic key may be publicly available through a directory, while theprivate key may remain confidential and accessible by only an owner ofthe private key. Asymmetric encryption may also be referred to as publickey cryptography. One example of an encryption and decryption algorithmutilized by asymmetric encryption may be Rivest-Shamir-Adleman (RSA)protocol.

In a VPN, keys for encryption and decryption may be randomly generatedstrings of bits. Each key may be generated to be unique. A length of anencryption key may be given by a number of the randomly generated stringbits, and the longer the length of the encryption key, the stronger theencryption is.

VPNs may employ user authentication, which may involve verification ofcredentials required to confirm authenticity/identity of the user. Forinstance, when a user launches the VPN application to request a VPNconnection, the VPN service provider may authenticate the user deviceprior to providing the user device with access to VPN services. In thisway, user authentication may provide a form of access control.Typically, user authentication may include verification of a uniquecombination of a user ID and password. To provide improved security inthe VPN, user authentication may include additional factors such asknowledge, possession, inheritance, or the like. Knowledge factors mayinclude items (e.g., pin numbers) that an authentic user may be expectedto know. Possession factors may include items (e.g., one-time password(OTP) tokens) that an authentic user may be expected to possess at atime associated with the authentication. Inherent factors may includebiometric items (e.g., fingerprint scans, retina scans, iris scans, orthe like) that may be inherent traits of an authentic user.

A VPN may be associated with a network of VPN servers, typicallydeployed in various geographic locations. A VPN server may be a physicalserver or a virtual server configured to host and/or globally deliverVPN services to the user. A server may be a combination of hardware andsoftware, and may include logical and physical communication ports. Whenlaunched, the VPN application may connect with a selected VPN server forsecure communication of data via the virtual tunnel.

The VPN application, installed on the user device, may utilizesoftware-based technology to establish a secure connection between theuser device and a VPN server. Some VPN applications may automaticallywork in the background on the user device while other VPN applicationsmay include front-end interfaces to allow the user to interact with andconfigure the VPN applications. VPN applications may often be installedon a computer (e.g., user device), though some entities may provide apurpose-built VPN application as a hardware device that is pre-installedwith software to enable the VPN. Typically, a VPN application mayutilize one or more VPN protocols to encrypt and decrypt thecommunicated data. Some commonly used VPN protocols may include OpenVPN,SSTP, PPTP, L2TP/IPsec, SSL/TLS, Wireguard, IKEv2, and SoftEther.

SUMMARY

In one aspect, the present disclosure contemplates a method in a virtualprivate network (VPN) service environment, the method includingreceiving, at a processor, credential requests for accessing the VPNenvironment from a first user device using a first interface and from asecond user device using a second interface; transmitting, to the firstuser device, a first credential based at least in part on the first userdevice using the first interface; and transmitting, to the second userdevice, a second credential based at least in part on the second userdevice using the second interface, the first credential being differentfrom the second credential.

In another aspect, the present disclosure contemplates a deviceassociated with a VPN, the device comprising a memory and a processorcommunicatively coupled to the memory, the processor being configuredto: receive, at a processor, credential requests for accessing the VPNenvironment from a first user device using a first interface and from asecond user device using a second interface; transmit, to the first userdevice, a first credential based at least in part on the first userdevice using the first interface; and transmit, to the second userdevice, a second credential based at least in part on the second userdevice using the second interface, the first credential being differentfrom the second credential.

In another aspect, the present disclosure contemplates a non-transitorycomputer readable medium storing instructions, which when executed by aprocessor cause the processor to: receive, at a processor, credentialrequests for accessing the VPN environment from a first user deviceusing a first interface and from a second user device using a secondinterface; transmit, to the first user device, a first credential basedat least in part on the first user device using the first interface; andtransmit, to the second user device, a second credential based at leastin part on the second user device using the second interface, the firstcredential being different from the second credential.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory innature and are intended to provide an understanding of the presentdisclosure without limiting the scope thereof. In that regard,additional aspects, features, and advantages of the present disclosurewill be apparent to one skilled in the art from the following detaileddescription.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings illustrate aspects of systems, devices,methods, and/or mediums disclosed herein and together with thedescription, serve to explain the principles of the present disclosure.Throughout this description, like elements, in whatever aspectdescribed, refer to common elements wherever referred to and referencedby the same reference number. The characteristics, attributes,functions, interrelations ascribed to a particular element in onelocation apply to those elements when referred to by the same referencenumber in another location unless specifically stated otherwise.

The figures referenced below are drawn for ease of explanation of thebasic teachings of the present disclosure; the extensions of the figureswith respect to number, position, relationship, and dimensions of theparts to form the following aspects may be explained or may be withinthe skill of the art after the following description has been read andunderstood. Further, exact dimensions and dimensional proportions toconform to specific force, weight, strength, and similar requirementswill likewise be within the skill of the art after the followingdescription has been read and understood.

The following is a brief description of each figure used to describe thepresent disclosure, and thus, is being presented for illustrativepurposes only and should not be limitative of the scope of the presentdisclosure.

FIG. 1 is an illustration of an example system associated with providingan optimized authentication mechanism in a VPN, according to variousaspects of the present disclosure.

FIG. 2 is an illustration of an example flow associated with providingan optimized authentication mechanism in a VPN, according to variousaspects of the present disclosure.

FIG. 3 is an illustration of an example process associated withproviding an optimized authentication mechanism in a VPN, according tovarious aspects of the present disclosure.

FIG. 4 is an illustration of an example process associated withproviding an optimized authentication mechanism in a VPN, according tovarious aspects of the present disclosure.

FIG. 5 is an illustration of example devices associated with providingan optimized authentication mechanism in a VPN, according to variousaspects of the present disclosure.

DETAILED DESCRIPTION

For the purposes of promoting an understanding of the principles of thepresent disclosure, reference will now be made to the aspectsillustrated in the drawings, and specific language may be used todescribe the same. It will nevertheless be understood that no limitationof the scope of the disclosure is intended. Any alterations and furthermodifications to the described devices, instruments, methods, and anyfurther application of the principles of the present disclosure arefully contemplated as would normally occur to one skilled in the art towhich the disclosure relates. In particular, it is fully contemplatedthat the features, components, and/or steps described with respect toone aspect may be combined with the features, components, and/or stepsdescribed with respect to other aspects of the present disclosure. Forthe sake of brevity, however, the numerous iterations of thesecombinations may not be described separately. For simplicity, in someinstances the same reference numbers are used throughout the drawings torefer to the same or like parts.

FIG. 1 is an illustration of an example system 100 associated withproviding an optimized authentication mechanism in a VPN, according tovarious aspects of the present disclosure. Example 100 shows anarchitectural depiction of components included in system 100. In someaspects, the components may include a user device 102 capable ofcommunicating with one or more VPN servers 120 and with a VPN serviceprovider (VSP) control infrastructure 104 over a network 122. The VSPcontrol infrastructure 104 may be controlled by a VPN service providerand may include an application programming interface (API) 106, a userdatabase 108, processing unit 110, a server database 116, and the one ormore VPN servers 120. As shown in FIG. 1 , the API 106 may be capable ofcommunicating with the user database 108 and with the processing unit110. Additionally, the processing unit 110 may be capable ofcommunicating with the server database, which may be capable ofcommunicating with a testing module (not shown). The testing module maybe capable of communicating with the one or more VPN servers 120 overthe network 122. The processing unit 110 may be capable of controllingoperation of the one or more VPN servers 120.

The user device 102 may be a physical computing device capable ofhosting a VPN application and of connecting to the network 122. The userdevice 102 may be, for example, a laptop, a mobile phone, a tabletcomputer, a desktop computer, a smart device, a router, or the like. Insome aspects, the user device 102 may include, for example,Internet-of-Things (IoT) devices such as VSP smart home appliances,smart home security systems, autonomous vehicles, smart health monitors,smart factory equipment, wireless inventory trackers, biometric cybersecurity scanners, or the like. The network 122 may be any digitaltelecommunication network that permits several nodes to share and accessresources. In some aspects, the network 122 may include one or more of,for example, a local-area network (LAN), a wide-area network (WAN), acampus-area network (CAN), a metropolitan-area network (MAN), ahome-area network (HAN), Internet, Intranet, Extranet, and Internetwork.

The VSP control infrastructure 104 may include a combination of hardwareand software components that enable provision of VPN services to theuser device 102. The VSP control infrastructure 104 may interface with(the VPN application on) the user device 102 via the API 106, which mayinclude one or more endpoints to a defined request-response messagesystem. In some aspects, the API 106 may be configured to receive, viathe network 122, a connection request from the user device 102 toestablish a VPN connection with a VPN server 120. The connection requestmay include an authentication request to authenticate the user device102 and/or a request for an IP address of an optimal VPN server forestablishment of the VPN connection therewith. In some aspects, anoptimal VPN server may be a single VPN server 120 or a combination ofone or more VPN servers 120. The API 106 may receive the authenticationrequest and the request for an IP address of an optimal VPN server in asingle connection request. In some aspects, the API 106 may receive theauthentication request and the request for an IP address of an optimalVPN server in separate connection requests.

The API 106 may further be configured to handle the connection requestby mediating the authentication request. For instance, the API 106 mayreceive from the user device 102 credentials including, for example, aunique combination of a user ID and password for purposes ofauthenticating the user device 102. In another example, the credentialsmay include a unique validation code known to an authentic user. The API106 may provide the received credentials to the user database 108 forverification.

The user database 108 may include a structured repository of validcredentials belonging to authentic users. In one example, the structuredrepository may include one or more tables containing valid uniquecombinations of user IDs and passwords belonging to authentic users. Inanother example, the structured repository may include one or moretables containing valid unique validation codes associated withauthentic users. The VPN service provider may add or delete such validunique combinations of user IDs and passwords from the structuredrepository at any time. Based at least in part on receiving thecredentials from the API 106, the user database 108 and a processor(e.g., the processing unit 110 or another local or remote processor) mayverify the received credentials by matching the received credentialswith the valid credentials stored in the structured repository. In someaspects, the user database 108 and the processor may authenticate theuser device 102 when the received credentials match at least one of thevalid credentials. In this case, the VPN service provider may provideVPN services to the user device 102. When the received credentials failto match at least one of the valid credentials, the user database 108and the processor may fail to authenticate the user device 102. In thiscase, the VPN service provider may decline to provide VPN services tothe user device 102.

When the user device 102 is authenticated, the user device 102 mayinitiate a VPN connection and may transmit to the API 106 a request foran IP address of an optimal VPN server. The processing unit 110 includedin the VSP control infrastructure may be configured todetermine/identify a single VPN server 120 as the optimal server or alist of VPN servers. The processing unit 110 may utilize the API 106 totransmit the IP address of the optimal server or IP addresses of the VPNservers 120 included in the list to the user device 102. In the casewhere the list of IP addresses of the VPN servers 120 is provided, theuser device 102 may have an option to select a single VPN server 120from among the listed VPN servers as the optimal server 120. The userdevice 102 may transmit an initiation request to establish a VPNconnection (e.g., an encrypted tunnel) with the optimal VPN server. Insome aspects, the optimal VPN server with which the user deviceestablishes the encrypted tunnel may be referred to as a primary VPNserver or an entry VPN server. In some aspects, a VPN server 120 may bea piece of physical or virtual computer hardware and/or software capableof securely communicating with (the VPN application on) the user device102 for provision of VPN services.

The processing unit 110 may be a logical unit including a scoringengine. The processing unit 110 may include a logical componentconfigured to perform complex operations to compute numerical weightsrelated to various factors associated with the VPN servers 120. Thescoring engine may likewise include a logical component configured toperform arithmetical and logical operations to compute a server penaltyscore for one or more of the VPN servers 120.

In some aspects, based at least in part on server penalty scorescalculated via the complex operations and/or the arithmetical andlogical operations, the processing unit 110 may determine an optimal VPNserver. In one example, the processing unit 110 may determine the VPNserver 120 with the lowest server penalty score as the optimal VPNserver. In another example, the processing unit 110 may determine thelist of optimal VPN servers by including, for example, three (or anyother number) VPN servers 120 with the three lowest server penaltyscores.

One or more components (e.g., API 106, user database 108, processingunit 110, and/or server database 116) included in the VSP controlinfrastructure 104 may further be associated with acontroller/processor, a memory, a communication interface, or acombination thereof (e.g., FIG. 5 ). For instance, the one or morecomponents of the set of components may include or may be included in acontroller/processor, a memory, or a combination thereof. In someaspects, the one or more of the components included in the VSP controlinfrastructure 104 may be separate and distinct from each other.Alternatively, in some aspects, one or more of the components includedin the VSP control infrastructure 104 may be combined with one or moreof other components included in the VSP control infrastructure 104. Insome aspects, the one or more of the components included in the VSPcontrol infrastructure 104 may be local with respect to each other.Alternatively, in some aspects, one or more of the components includedin the VSP control infrastructure 104 may be located remotely withrespect to one or more of other components included in the VSP controlinfrastructure 104. Additionally, or alternatively, one or morecomponents of the components included in the VSP control infrastructure104 may be implemented at least in part as software stored in a memory.For example, a component (or a portion of a component) may beimplemented as instructions or code stored in a non-transitorycomputer-readable medium and executable by a controller or a processorto perform the functions or operations of the component. Additionally,or alternatively, a set of (one or more) components shown in FIG. 1 maybe configured to perform one or more functions described as beingperformed by another set of components shown in FIG. 1 .

As indicated above, FIG. 1 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 1 .

User devices may request a VSP control infrastructure to provide accessto an associated VPN environment. The user devices may use a webinterface (e.g., via a website) or a client application (e.g.,application interface) to transmit the request. The client applicationmay be associated with and/or provided by the VSP controlinfrastructure. A user device may be a known user device that has beenpreviously registered with the VSP control infrastructure or may be anunknown user device that has not previously been registered with the VSPcontrol infrastructure. Using the web interface may enable the userdevice to receive access to perform administrative tasks such as, forexample, determine available VPN services and associated costs, editinformation (e.g., address, password, etc.) associated with the userdevice, or the like. Using the application interface may enable the userdevice to receive access to obtain VPN services including, for example,transmitting data requests and receiving data of interest.

Typically, the VSP control infrastructure may utilize a first API toservice a user device using the web interface and a second API toservice a user device using the application interface. The first API mayconduct a first authentication to enable the user device to receiveaccess to perform administrative tasks and the second API may conduct asecond authentication to enable the user device to receive access toobtain VPN services. Maintaining a plurality of APIs and managing aplurality of authentication processes may consume resources associatedwith the VSP control infrastructure (e.g., management resources,processing resources, consumed power, network bandwidth, storageresources, etc.) that may otherwise be utilized to perform more suitabletasks associated with the VPN.

Alternatively, the VSP control infrastructure may utilize a single APIto service a user device using the web interface and a user device usingthe application interface. In this case, the single API may similarlyauthenticate the user device using the web interface and the user deviceusing the application interface. As a result, the user device using theweb interface may be provided with a similar level of access to VPNservices as the user device using the application interface. In suchsituations, the user device using the web interface may remain connectedto the VPN environment for a threshold duration of time, during whichprivate data associated with the user device may become compromised. Inan example, private data (e.g., a location of the user device, anidentity of an owner of the user device, a list of websites visited bythe user device, a nature of data requested by the user device, or thelike) communicated via the web interface may be cached and/or traced bythird party trackers. In another example, the web interface may allowharmful content (e.g., cookies, malware, etc.) to be stored on the userdevice, thereby enabling unauthorized access to the user device.Additionally, the harmful content may cause damage to the user device.

Various aspects of systems and techniques discussed in the presentdisclosure enable providing an optimized authentication mechanism in aVPN. In some aspects, a VSP control infrastructure may configure asingle API to service a user device requesting the VSP controlinfrastructure for access to the VPN using an application interface anda user device requesting the VSP control infrastructure for access tothe VPN using a web interface. In some aspects, the VSP controlinfrastructure may utilize the single API to authenticate the userdevice using the application interface differently with respect to theuser device using the web interface. For instance, the VSP controlinfrastructure may configure the single API to provide the user deviceusing the application interface with a first level of access and toprovide the user device using the web interface with a second level ofaccess. In some aspects, the first level of access may include accessfor a first duration of time and the second level of access may includeaccess for a second duration of time, the first duration of time beinglonger than the second duration of time. Further, the first level ofaccess may include access for obtaining VPN services and the secondlevel of access may include access for performing administrative tasks.In this way, by providing the optimized authentication mechanism, theVSP control infrastructure may mitigate having to maintain a pluralityof APIs and to manage a plurality of authentication processes, therebyenabling efficient utilization of resources associated with the VSPcontrol infrastructure (e.g., management resources, processingresources, consumed power, network bandwidth, storage resources, etc.)for more suitable tasks associated with the VPN. Further, the VSPcontrol infrastructure may mitigate instances of private data associatedwith the user device becoming compromised and/or instances of damage tothe user device.

In some aspects, a processor (e.g., processing unit 110, processor 620,etc.) associated with the VSP control infrastructure may receivecredential requests for accessing the VPN environment from a first userdevice using a first interface and from a second user device using asecond interface, transmit, to the first user device, a first credentialbased at least in part on the first user device using the firstinterface, and transmit, to the second user device, a second credentialbased at least in part on the second user device using the secondinterface, the first credential being different from the secondcredential.

FIG. 2 is an illustration of an example flow associated with providingan optimized authentication mechanism in a VPN, according to variousaspects of the present disclosure. In the example flow 200, a first userdevice 102 and a second user device 102 (collectively, “user devices102”) may be in communication with a VSP control infrastructure 104. Insome aspects, the user devices 102 and the VSP control infrastructure104 may communicate over a network (e.g., network 122). In some aspects,the user devices 102 may communicate with the VSP control infrastructure104 via the single API (e.g., API 106).

As shown by reference numeral 210, the user devices 102 may transmitcredential requests to the VSP control infrastructure 104 for purposesof accessing a VPN environment associated with the VSP controlinfrastructure 104. In some aspects, the user devices 102 may usevarious interfaces to transmit the credential requests. In an example,the first user device 102 may use a VPN application interface (e.g.,first interface) to transmit the credential request. In some aspects,using the VPN application interface may include using a clientapplication 112 provided by, for example, a VSP associated with the VSPcontrol infrastructure 104 and installed on the first user device 102.In another example, the second user device 102 may use a web interface(e.g., second interface) to transmit the credential request. In someaspects, using the web interface may include using a web browser tocommunicate data utilizing a hypertext transfer protocol (e.g., HTTP,HTTPS, etc.) over the Internet. In some aspects, a single user device102 (e.g., the first user device 102 or the second user device 102) mayuse the VPN application interface to transmit a first credential requestand may use the web interface to transmit a second credential request.In other words, the VSP control infrastructure 104 may receive aplurality of credential requests using respective interfaces from asingle user device 102.

As shown by reference numeral 220, the VSP control infrastructure 104may perform authentication of the user devices 102. In some aspects, theauthentication may include determining whether the interfaces used bythe user devices 102 are associated with an authenticated certificate.In some aspects, the VSP control infrastructure 104 may perform theauthentication based at least in part on information provided in thecredential requests. For instance, the VSP control infrastructure 104may determine whether the credential requests include informationindicating that the user devices 102 are using interfaces associatedwith authenticated certificates. In an example, with respect to thefirst user device 102, the VPN application interface may or may not beassociated with an authenticated certificate. When the VSP controlinfrastructure 104 determines that the first user device 102 is using aVPN application interface that is associated with the authenticatedcertificate, the VSP control infrastructure 104 may authenticate thefirst user device 102 as a user device that is using an interface thatis associated with the authenticated certificate, and may determine thata long-term credential (e.g., first credential) is to be transmitted tothe first user device 102. Alternatively, when the VSP controlinfrastructure 104 determines that the first user device 102 is using aVPN application interface that is not associated with the authenticatedcertificate, the VSP control infrastructure 104 may authenticate thefirst user device 102 as a user device that is using an interface thatis not associated with the authenticated certificate, and may determinethat a short-term credential (e.g., second credential) is to betransmitted to the first user device 102. With respect to the seconduser device 102, the web interface may be unable to be associated withthe authenticated certificate. In this case, the VSP controlinfrastructure 104 may authenticate the second user device 102 as a userdevice that is using an interface that is not associated with theauthenticated certificate, and may determine that the short-termcredential is to be transmitted to the second user device 102.

In this way, the VSP control infrastructure 104 may provide differentcredentials to differently authenticated user devices 102 that usedifferent user interfaces to access the VPN environment. In someaspects, the VSP control infrastructure 104 may provide the long-termcredential to a user device 102 that uses an interface associated withthe authenticated certificate, and may provide the short-term credentialto a user device 102 that uses an interface not associated with theauthenticated certificate. The long-term credential may provideincreased access to the VPN environment as compared to the short-termcredential. For instance, the long-term credential may allow the firstuser device 102 to, for example, establish a secure tunnel with a VPNserver 120 associated with the VPN environment and to transmit datarequests to the VPN server 120 to receive data of interest. Theshort-term credential may allow the second user device 102 to performadministrative tasks without being able to establish the secure tunnelwith the VPN server 120. The administrative tasks may include, forexample, determining available VPN services and associated costs,editing information (e.g., address, password, etc.) associated with thesecond user device 102, or the like. Further, the long-term credentialmay allow the first user device 102 to have access to and/or remainconnected to the VPN environment for a first duration of time (e.g., onemonth) and the short-term credential may allow the second user device102 to have access to and/or remain connected to the VPN environment fora second duration of time (e.g., two hours), the first duration of timebeing longer than the second duration of time. Moreover, at anexpiration of the first duration of time, the VSP control infrastructure104 may enable the first user device 102 to renew the long-termcredential for a finite number of times (e.g., five times for a totalperiod of six months). In some aspects, the VSP control infrastructure104 may enable the second user device 102 to exchange the short-termcredential for the long-term credential when the second user device 102uses the VPN application interface associated with the authenticatedcertificate to receive access to the VPN environment. In this case, theVSP control infrastructure 104 may receive relevant information (e.g.,payment information, identity information, etc.) from the second userdevice and may transmit the authenticated certificate and/or informationassociated with the authenticated certificate to the second user device102. The second user device 102 may use the information associated withthe authenticated certificate to obtain the authenticated certificate,and use the VPN application interface associated with the authenticatedcertificate to access the VPN environment. The VSP controlinfrastructure 104 may transmit the long-term credential to the seconduser device 102 based at least in part on determining that the seconduser device 102 is using the VPN application interface that isassociated with the authenticated certificate.

As shown by reference numeral 230, the VSP control infrastructure 104may transmit credentials to the user devices 102 based at least in parton determining the interfaces used by the user devices 102. When the VSPcontrol infrastructure 104 determines that the first user device 102 isusing the VPN application interface that is associated with theauthenticated certificate, the VSP control infrastructure 104 maytransmit the long-term credential (e.g., first credential) to the firstuser device 102. Alternatively, when the VSP control infrastructure 104determines that the first user device 102 is using the VPN applicationinterface that is not associated with the authenticated certificate, theVSP control infrastructure 104 may transmit the short-term credential(e.g., second credential) to the first user device 102. With respect tothe second user device 102, the VSP control infrastructure 104 maydetermine that the second user device 102 is using the web interfacethat is not associated with the authenticated certificate, and maytransmit the short-term credential (e.g., second credential) to thesecond user device 102.

As shown by reference numeral 240, the user devices 102 may access theVPN environment based at least in part on the received credentials.

In some aspects, performing the authentication may include performingauthentications for known user devices (e.g., user device 102) and forunknown user devices (e.g., user device 102), and based at least in parton results of the authentications, the VSP control infrastructure 104may provide the long-term credential or the short-term credential. Forinstance, when a known user device 102 uses the web interface or the VPNapplication interface, the VSP control infrastructure 104 may verify anidentity associated with the known user device 102. In an example, theVSP control infrastructure 104 may verify the identity by utilizing anopen standard authorization protocol. In this case, the VSP controlinfrastructure 104 may accept information from a third-party (e.g.,Google, Facebook, etc.) indicating that an actual entity is associatedwith the known user device 102. In another example, the VSP controlinfrastructure 104 may enable the known user device 102 to verify theidentity via a confirmation mechanism (e.g., email, phone number, etc.).In this case, the VSP control infrastructure 104 may provide a codeand/or a token via, for example, an email address associated with theknown user device 102 and allow the known user device 102 to verify theidentity by providing the code and/or the token to the VSP controlinfrastructure 104. Based at least in part on the identity beingverified, the VSP control infrastructure may provide the short-termcredential to the known user device 102.

When the known user device 102 wishes to obtain the increased access tothe VPN environment, the VSP control infrastructure 104 may enable theknown user device 102 to exchange the short-term credential for thelong-term credential. In an example, when the known user device 102 isassociated with a first type of operating system (e.g., iOS, Android, orthe like), the VSP control infrastructure 104 may transmit a firebasecloud messaging (FCM) message to the known user device 102 withinformation associated with exchanging the short-term credential for thelong-term credential. In some aspects, information included in the FCMmessage may include information to be provided by the known user device102 via the VPN application interface to the VSP control infrastructure.Based at least in part on receiving the information included in the FCMmessage, the VSP control infrastructure 104 may provide the long-termcredential to the known user device 102 to be used via the VPNapplication interface. In some aspects, the VSP control infrastructure104 may provide the long-term credential in the FCM message. In anotherexample, when the known user device 102 is associated with a second typeof operating system (e.g., Windows), the VSP control infrastructure 104may transmit a specific message (e.g., magic uniform resource locator(URL) link) to the known user device 102. Information included in thespecific message may enable the known user 102 to exchange theshort-term credential for the long-term credential.

When an unknown user device 102 uses the web interface, the VSP controlinfrastructure 104 may verify an identity associated with the unknownuser device 102. In an example, the VSP control infrastructure 104 mayenable the unknown user device 102 to verify the identity via aconfirmation mechanism (e.g., email, phone number, etc.). In this case,the VSP control infrastructure 104 may provide a code and/or a tokenvia, for example, an email address associated with the unknown userdevice 102 and allow the unknown user device 102 to verify the identityby providing the code and/or the token to the VSP control infrastructure104. Based at least in part on the identity being verified, the VSPcontrol infrastructure may provide the short-term credential to theunknown user device 102.

When the unknown user device 102 wishes to obtain the increased accessto the VPN environment, the VSP control infrastructure 104 may enablethe unknown user device 102 to exchange the short-term credential forthe long-term credential. In an example, as discussed above, the VSPcontrol infrastructure 104 may transmit a firebase cloud messaging (FCM)message to the unknown user device 102 and information included in theFCM message may provide the long-term credential to be used via the VPNapplication interface. In another example, as discussed above, the VSPcontrol infrastructure 104 may transmit a specific message andinformation included in the specific message may enable the unknown userdevice 102 to exchange the short-term credential for the long-termcredential.

In some aspects, when a user device 102 creates a new account andprovides payment information (e.g., credit card number, bank accountnumber, payment (e.g., PayPal) account number, etc.), the VSP controlinfrastructure 104 may provide the user device with the long-termcredential to use via the VPN application interface.

By utilizing the above systems and techniques associated with providingan optimized authentication mechanism in a VPN, the VSP controlinfrastructure may mitigate having to maintain a plurality of APIs andto manage a plurality of authentication processes, thereby enablingefficient utilization of resources associated with the VSP controlinfrastructure (e.g., management resources, processing resources,consumed power, network bandwidth, storage resources, etc.) for moresuitable tasks associated with the VPN. Further, the VSP controlinfrastructure may mitigate instances of private data associated withthe user device becoming compromised and/or instances of damage to theuser device. Additionally, the above systems and techniques allowtracking and preventing abusive access to the VPN environment viacreation of free accounts. The above systems and techniques ensure thatuser devices can be logged off access to the VPN environment via theapplication interface upon device or credential loss.

As indicated above, FIG. 2 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 2 .

FIG. 3 is an illustration of an example process 300 associated withproviding an optimized authentication mechanism in a VPN, according tovarious aspects of the present disclosure. In some aspects, the process300 may be performed by a processor/controller (e.g., processing unit110 and/or processor 520) associated with a VSP control infrastructure(e.g., VSP control infrastructure 104). As shown by reference numeral310, process 300 includes receiving, at a processor, credential requestsfor accessing the VPN environment from a first user device using a firstinterface and from a second user device using a second interface. Forinstance, the VSP control infrastructure may utilize an associatedcommunication interface (e.g., communication interface 570) along withthe associated processor/controller to receive credential requests foraccessing the VPN environment from a first user device using a firstinterface and from a second user device using a second interface, asdiscussed elsewhere herein.

As shown by reference numeral 320, process 300 includes transmitting, tothe first user device, a first credential based at least in part on thefirst user device using the first interface. For instance, the VSPcontrol infrastructure may utilize the communication interface and theassociated processor/controller to transmit, to the first user device, afirst credential based at least in part on the first user device usingthe first interface, as discussed elsewhere herein.

As shown by reference numeral 330, process 300 includes transmitting, tothe second user device, a second credential based at least in part onthe second user device using the second interface, the first credentialbeing different from the second credential. For instance, the VSPcontrol infrastructure may utilize the communication interface and theassociated processor/controller to transmit, to the second user device,a second credential based at least in part on the second user deviceusing the second interface, the first credential being different fromthe second credential, as discussed elsewhere herein.

Process 300 may include additional aspects, such as any single aspect orany combination of aspects described below and/or in connection with oneor more other processes described elsewhere herein.

In a first aspect, process 300 includes determining that the first userdevice is using the first interface and that the second user device isusing the second interface.

In a second aspect, alone or in combination with the first aspect,process 300 includes transmitting the second credential to the firstuser device in exchange for the first credential based at least in parton determining that the first user device is now using the secondinterface and is associated with an authenticated certificate.

In a third aspect, alone or in combination with the first through secondaspects, in process 300, the first credential providing access for afirst duration of time and the second credential providing access for asecond duration of time, the first duration of time being longer thanthe second duration of time.

In a fourth aspect, alone or in combination with the first through thirdaspects, in process 300, the first credential providing access forperforming a first set of operations and the second credential providingaccess for performing a second set of operations, the first set ofoperations being different than the second set of operations.

In a fifth aspect, alone or in combination with the first through fourthaspects, in process 300, the first interface includes a VPN applicationinterface associated with the VPN environment and the second interfaceincludes a web interface.

In a sixth aspect, alone or in combination with the first through fifthaspects, in process 300, transmitting the first credential includestransmitting the first credential based at least in part on determiningthat the first interface is associated with an authenticatedcertificate.

Although FIG. 3 shows example blocks of the process, in some aspects,the process may include additional blocks, fewer blocks, differentblocks, or differently arranged blocks than those depicted in FIG. 3 .Additionally, or alternatively, two or more of the blocks of the processmay be performed in parallel.

As indicated above, FIG. 3 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 3 .

FIG. 4 is an illustration of an example process 400 associated withproviding an optimized authentication mechanism in a VPN, according tovarious aspects of the present disclosure. In some aspects, the process300 may be performed by a processor/controller (e.g., processing unit110 and/or processor 520) associated with a VSP control infrastructure(e.g., VSP control infrastructure 104) and a processor/controller (e.g.,processing unit 110 and/or processor 520) associated with a user device(e.g., user device 102). As shown by reference numeral 410, process 400includes receiving, at a processor from a user device, a credentialrequest for accessing the VPN environment. For instance, the VSP controlinfrastructure may utilize the associated memory and processor toreceive, from a user device, a credential request for accessing the VPNenvironment, as discussed elsewhere herein.

As shown by reference numeral 420, process 400 includes transmitting, bythe processor to the user device, a short-term credential based at leastin part on determining that the user device is not associated with anauthenticated certificate. For instance, the VSP control infrastructuremay utilize the associated memory and processor to transmit, to the userdevice, a short-term credential based at least in part on determiningthat the user device is not associated with an authenticatedcertificate, as discussed elsewhere herein.

As shown by reference numeral 430, process 400 includes transmitting, bythe processor to the user device, information associated with theauthenticated certificate to enable the user device to exchange theshort-term credential for a long-term credential. For instance, the VSPcontrol infrastructure may utilize the associated memory/processor andan associated communication interface (e.g., communication interface570) to transmit, by the processor to the user device, informationassociated with the authenticated certificate to enable the user deviceto exchange the short-term credential for a long-term credential, asdiscussed elsewhere herein.

As shown by reference numeral 440, process 400 includes transmitting, bythe processor to the user device, the long-term credential based atleast in part on determining that the user device is associated with theauthenticated certificate. For instance, the VSP control infrastructuremay utilize the associated memory/processor and the associatedcommunication interface to transmit, to the user device, the long-termcredential based at least in part on determining that the user device isassociated with the authenticated certificate, as discussed elsewhereherein.

Process 400 may include additional aspects, such as any single aspect orany combination of aspects described below and/or in connection with oneor more other processes described elsewhere herein.

In a first aspect, in process 400, receiving the credential requestincludes receiving the credential request via a web interface or a VPNapplication interface associated with the VPN environment.

In a second aspect, alone or in combination with the first aspect, inprocess 400, the short-term credential provides access for a firstduration of time and the long-term credential provides access for asecond duration of time, the first duration of time being shorter thanthe second duration of time.

In a third aspect, alone or in combination with the first through secondaspects, in process 400, the short-term credential provides access forperforming a first set of operations and the long-term credentialprovides access for performing a second set of operations, the first setof operations being different than the second set of operations.

In a fourth aspect, alone or in combination with the first through thirdaspects, process 400 includes determining that the user device is notassociated with the authenticated certificate based at least in part ondetermining that the user device is using a web interface.

In a fifth aspect, alone or in combination with the first through fourthaspects, process 400 includes determining that the user device isassociated with the authenticated certificate based at least in part ondetermining that the user device is using a VPN application interface.

In a sixth aspect, alone or in combination with the first through fifthaspects, process 400 includes transmitting, by the processor to the userdevice, information associated with renewing the long-term credential.

Although FIG. 4 shows example blocks of the process, in some aspects,the process may include additional blocks, fewer blocks, differentblocks, or differently arranged blocks than those depicted in FIG. 4 .Additionally, or alternatively, two or more of the blocks of the processmay be performed in parallel.

As indicated above, FIG. 4 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 4 .

FIG. 5 is an illustration of example devices 500, according to variousaspects of the present disclosure. In some aspects, the example devices500 may form part of or implement the systems, environments,infrastructures, components, or the like described elsewhere herein(e.g., FIG. 1 and/or FIG. 2 ) and may be used to perform the exampleprocesses described elsewhere herein. The example devices 500 mayinclude a universal bus 510 communicatively coupling a processor 520, amemory 530, a storage component 540, an input component 550, an outputcomponent 560, and a communication interface 570.

Bus 510 may include a component that permits communication amongmultiple components of a device 500. Processor 520 may be implemented inhardware, firmware, and/or a combination of hardware and software.Processor 520 may take the form of a central processing unit (CPU), agraphics processing unit (GPU), an accelerated processing unit (APU), amicroprocessor, a microcontroller, a digital signal processor (DSP), afield-programmable gate array (FPGA), an application-specific integratedcircuit (ASIC), or another type of processing component. In someaspects, processor 520 may include one or more processors capable ofbeing programmed to perform a function. Memory 530 may include a randomaccess memory (RAM), a read only memory (ROM), and/or another type ofdynamic or static storage device (e.g., a flash memory, a magneticmemory, and/or an optical memory) that stores information and/orinstructions for use by processor 520.

Storage component 540 may store information and/or software related tothe operation and use of a device 500. For example, storage component540 may include a hard disk (e.g., a magnetic disk, an optical disk,and/or a magneto-optic disk), a solid state drive (SSD), a compact disc(CD), a digital versatile disc (DVD), a floppy disk, a cartridge, amagnetic tape, and/or another type of non-transitory computer-readablemedium, along with a corresponding drive.

Input component 550 may include a component that permits a device 500 toreceive information, such as via user input (e.g., a touch screendisplay, a keyboard, a keypad, a mouse, a button, a switch, and/or amicrophone). Additionally, or alternatively, input component 550 mayinclude a component for determining location (e.g., a global positioningsystem (GPS) component) and/or a sensor (e.g., an accelerometer, agyroscope, an actuator, another type of positional or environmentalsensor, and/or the like). Output component 560 may include a componentthat provides output information from device 500 (via, for example, adisplay, a speaker, a haptic feedback component, an audio or visualindicator, and/or the like).

Communication interface 570 may include a transceiver-like component(e.g., a transceiver, a separate receiver, a separate transmitter,and/or the like) that enables a device 500 to communicate with otherdevices, such as via a wired connection, a wireless connection, or acombination of wired and wireless connections. Communication interface570 may permit device 500 to receive information from another deviceand/or provide information to another device. For example, communicationinterface 570 may include an Ethernet interface, an optical interface, acoaxial interface, an infrared interface, a radio frequency (RF)interface, a universal serial bus (USB) interface, a Wi-Fi interface, acellular network interface, and/or the like.

A device 500 may perform one or more processes described elsewhereherein. A device 500 may perform these processes based on processor 520executing software instructions stored by a non-transitorycomputer-readable medium, such as memory 530 and/or storage component540. As used herein, the term “computer-readable medium” may refer to anon-transitory memory device. A memory device may include memory spacewithin a single physical storage device or memory space spread acrossmultiple physical storage devices.

Software instructions may be read into memory 530 and/or storagecomponent 540 from another computer-readable medium or from anotherdevice via communication interface 570. When executed, softwareinstructions stored in memory 530 and/or storage component 540 may causeprocessor 520 to perform one or more processes described elsewhereherein. Additionally, or alternatively, hardware circuitry may be usedin place of or in combination with software instructions to perform oneor more processes described elsewhere herein. Thus, implementationsdescribed herein are not limited to any specific combination of hardwarecircuitry and software.

The quantity and arrangement of components shown in FIG. 5 are providedas an example. In practice, a device 500 may include additionalcomponents, fewer components, different components, or differentlyarranged components than those shown in FIG. 5 . Additionally, oralternatively, a set of components (e.g., one or more components) of adevice 500 may perform one or more functions described as beingperformed by another set of components of a device 500.

As indicated above, FIG. 5 is provided as an example. Other examples maydiffer from what is described with regard to FIG. 5 .

Persons of ordinary skill in the art will appreciate that the aspectsencompassed by the present disclosure are not limited to the particularexemplary aspects described herein. In that regard, althoughillustrative aspects have been shown and described, a wide range ofmodification, change, and substitution is contemplated in the foregoingdisclosure. It is understood that such variations may be made to theaspects without departing from the scope of the present disclosure.Accordingly, it is appropriate that the appended claims be construedbroadly and in a manner consistent with the present disclosure.

The foregoing disclosure provides illustration and description, but isnot intended to be exhaustive or to limit the aspects to the preciseform disclosed. Modifications and variations may be made in light of theabove disclosure or may be acquired from practice of the aspects.

As used herein, the term “component” is intended to be broadly construedas hardware, firmware, or a combination of hardware and software. Asused herein, a processor is implemented in hardware, firmware, or acombination of hardware and software.

As used herein, satisfying a threshold may, depending on the context,refer to a value being greater than the threshold, greater than or equalto the threshold, less than the threshold, less than or equal to thethreshold, equal to the threshold, or not equal to the threshold, amongother examples, or combinations thereof.

It will be apparent that systems or methods described herein may beimplemented in different forms of hardware, firmware, or a combinationof hardware and software. The actual specialized control hardware orsoftware code used to implement these systems or methods is not limitingof the aspects. Thus, the operation and behavior of the systems ormethods were described herein without reference to specific softwarecode-it being understood that software and hardware can be designed toimplement the systems or methods based, at least in part, on thedescription herein.

Even though particular combinations of features are recited in theclaims or disclosed in the specification, these combinations are notintended to limit the disclosure of various aspects. In fact, many ofthese features may be combined in ways not specifically recited in theclaims or disclosed in the specification. Although each dependent claimlisted below may directly depend on only one claim, the disclosure ofvarious aspects includes each dependent claim in combination with everyother claim in the claim set. A phrase referring to “at least one of” alist of items refers to any combination of those items, including singlemembers. As an example, “at least one of: a, b, or c” is intended tocover a, b, c, a-b, a-c, b-c, and a-b-c, as well as any combination withmultiples of the same element (for example, a-a, a-a-a, a-a-b, a-a-c,a-b-b, a-c-c, b-b, b-b-b, b-b-c, c-c, and c-c-c or any other ordering ofa, b, and c).

No element, act, or instruction used herein should be construed ascritical or essential unless explicitly described as such. Also, as usedherein, the articles “a” and “an” are intended to include one or moreitems, and may be used interchangeably with “one or more.” Further, asused herein, the article “the” is intended to include one or more itemsreferenced in connection with the article “the” and may be usedinterchangeably with “the one or more.” Furthermore, as used herein, theterm “set” is intended to include one or more items (e.g., relateditems, unrelated items, a combination of related and unrelated items,etc.), and may be used interchangeably with “one or more.” Where onlyone item is intended, the phrase “only one” or similar language is used.Also, as used herein, the terms “has,” “have,” “having,” or the like areintended to be open-ended terms. Further, the phrase “based on” isintended to mean “based, at least in part, on” unless explicitly statedotherwise. Also, as used herein, the term “or” is intended to beinclusive when used in a series and may be used interchangeably with“and/or,” unless explicitly stated otherwise (e.g., if used incombination with “either” or “only one of”).

What is claimed is:
 1. A method in a virtual private network (VPN)environment, the method comprising: receiving, at a processor from auser device, a credential request for accessing the VPN environment;transmitting, by the processor to the user device, a short-termcredential based at least in part on determining that the user device isnot associated with an authenticated certificate; and transmitting, bythe processor to the user device, information associated with theauthenticated certificate to enable the user device to exchange theshort-term credential for a long-term credential; and transmitting, bythe processor to the user device, the long-term credential based atleast in part on determining that the user device is associated with theauthenticated certificate.
 2. The method of claim 1, wherein receivingthe credential request includes receiving the credential request via aweb interface or a VPN application interface associated with the VPNenvironment.
 3. The method of claim 1, wherein the short-term credentialprovides access for a first duration of time and the long-termcredential provides access for a second duration of time, the firstduration of time being shorter than the second duration of time.
 4. Themethod of claim 1, wherein the short-term credential provides access forperforming a first set of operations and the long-term credentialprovides access for performing a second set of operations, the first setof operations being different than the second set of operations.
 5. Themethod of claim 1, further comprising: determining that the user deviceis not associated with the authenticated certificate based at least inpart on determining that the user device is using a web interface. 6.The method of claim 1, further comprising: determining that the userdevice is associated with the authenticated certificate based at leastin part on determining that the user device is using a VPN applicationinterface.
 7. The method of claim 1, further comprising: transmitting,by the processor to the user device, information associated withrenewing the long-term credential.
 8. A device associated with a virtualprivate network (VPN), the device comprising: a memory; and a processorcommunicatively coupled to the memory, the memory and the processorbeing configured to: receive, from a user device, a credential requestfor accessing the VPN environment; transmit, to the user device, ashort-term credential based at least in part on determining that theuser device is not associated with an authenticated certificate; andtransmit, to the user device, information associated with theauthenticated certificate to enable the user device to exchange theshort-term credential for a long-term credential; and transmit, to theuser device, the long-term credential based at least in part ondetermining that the user device is associated with the authenticatedcertificate.
 9. The device of claim 8, wherein, to receive thecredential request, the memory and the processor are configured toreceive the credential request via a web interface or a VPN applicationinterface associated with the VPN environment.
 10. The device of claim8, wherein the short-term credential provides access for a firstduration of time and the long-term credential provides access for asecond duration of time, the first duration of time being shorter thanthe second duration of time.
 11. The device of claim 8, wherein theshort-term credential provides access for performing a first set ofoperations and the long-term credential provides access for performing asecond set of operations, the first set of operations being differentthan the second set of operations.
 12. The device of claim 8, whereinthe memory and the processor are configured to determine that the userdevice is not associated with the authenticated certificate based atleast in part on determining that the user device is using a webinterface.
 13. The device of claim 8, wherein the memory and theprocessor are configured to determine that the user device is associatedwith the authenticated certificate based at least in part on determiningthat the user device is using a VPN application interface.
 14. Thedevice of claim 8, wherein the memory and the processor are configuredto transmit, to the user device, information associated with renewingthe long-term credential.
 15. A non-transitory computer-readable mediumconfigured to store instructions, which when executed by a processorassociated with a virtual private network (VPN), cause the processor to:receive, from a user device, a credential request for accessing the VPNenvironment; transmit, to the user device, a short-term credential basedat least in part on determining that the user device is not associatedwith an authenticated certificate; and transmit, to the user device,information associated with the authenticated certificate to enable theuser device to exchange the short-term credential for a long-termcredential; and transmit, to the user device, the long-term credentialbased at least in part on determining that the user device is associatedwith the authenticated certificate.
 16. The non-transitorycomputer-readable medium of claim 15, wherein, to receive the credentialrequest, the processor is configured to receive the credential requestvia a web interface or a VPN application interface associated with theVPN environment.
 17. The non-transitory computer-readable medium ofclaim 15, wherein the short-term credential provides access for a firstduration of time and the long-term credential provides access for asecond duration of time, the first duration of time being shorter thanthe second duration of time.
 18. The non-transitory computer-readablemedium of claim 15, wherein the short-term credential provides accessfor performing a first set of operations and the long-term credentialprovides access for performing a second set of operations, the first setof operations being different than the second set of operations.
 19. Thenon-transitory computer-readable medium of claim 15, wherein theprocessor is configured to determine that the user device is notassociated with the authenticated certificate based at least in part ondetermining that the user device is using a web interface.
 20. Thenon-transitory computer-readable medium of claim 15, wherein theprocessor is configured to determine that the user device is associatedwith the authenticated certificate based at least in part on determiningthat the user device is using a VPN application interface.